GDPR in the light of the corona pandemic

Under present circumstances, due to the coronavirus Covid-19, new situations arise in many workplaces as colleagues are working from home, meetings are canceled and suppliers and public authorities are working with reduced staff. These new situations give rise to new questions regarding the security and the processing of personal data, both in relation to a company’s clients, suppliers and business partners and in relation to a company’s employees.

We have written this newsletter to address, from a GDPR perspective, some of the questions about the present situation that our clients and business partners ask most frequently.

Employers’ responsibility for the employees’ personal data

Due to Covid-19, companies are facing new challenges relating to their responsibility for the personal data of their employees. Personal data that concerns the health of a data subject is considered a special category of personal data. As a main rule, the processing of such special categories of personal data is prohibited by the GDPR. Employers, however, are exempt from the prohibition and may process special categories of personal data if the processing is necessary in order for the employer to carry out its obligations in the field of employment, social security and social protection law. If an employee has contracted Covid-19, the company, as the employer, must decide if and how such information can be processed. It is not, for example, advisable to share information about an employee who has been infected by Covid-19 with clients or others. It is better in these cases to simply state that the employee cannot be reached or that the employee is working from home.

Information about an employee who has “self-quarantined”, i.e. that the employee is working from home instead of from the office as a precaution, is not considered information pertaining to the person’s health and is not considered a special category of personal data. Information regarding an employee who has been quarantined according to the Swedish Communicable Diseases Act (Swe: Smittskyddslagen), on the other hand, is probably considered information about the employee’s health and as such a special category of personal data that can only be processed by an employer if the processing is exempt from the main rule, i.e. if the processing is necessary in order for the employer to carry out its obligations in the field of employment, social security and social protection law.

Security concerns when working outside of the office

In addition to companies’ responsibility for the processing of employees’ personal data, the present circumstances bring certain security risks to light, mainly relating to the fact that many are now working from home as opposed to working in the office. Below, we have listed some things that are important to keep in mind as you move your workplace from the office into your home or some other venue.

  • Be very careful about who has access to and/or may see your computer when working outside of the office. If any third party gets access to the personal data that you are processing, either by gaining physical access to your computer or by reading what is on the screen, this can be considered an unauthorized disclosure of personal data and can constitute a personal data breach.
  • Internet connections via Wi-Fi outside of the office are often less secure than the Wi-Fi connection at the office. We strongly advise against using any public Wi-Fi, e.g. in a coffee shop or a hotel lobby. Even if you are working from the privacy of your own home, you might have to take some precautions to make sure that the Wi-Fi connection is as secure as possible. A first step should be to make sure that your home Wi-Fi network is password protected.
  • It is also important to make sure that any storage devices (i.e. computers, USB-drives, external hard drives) that are brought out of the office are not lost, as such a loss could constitute a personal data breach according to the GDPR.

If you or your company have any questions relating to the GDPR and the corona virus or any other personal data related questions, do not hesitate to contact our GDPR-expert Marcus Appeltofft at +46 (0)733-744053 or at marcus.appeltofft@norelidlaw.com.

The above information published by Norelid Advokatbyrå and/or its employees is only to be considered general information and does not constitute, nor should it be used as, professional legal advice. There is a risk that the information is not complete or not entirely updated. Any use of the information is at the risk of the user.